Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-09 06:46:23 thehackernews NATION STATE ACTIVITY OpenAI Shuts Down ChatGPT Accounts Linked to Hacker Groups
OpenAI has banned several ChatGPT accounts used by Russian-speaking hackers and two Chinese nation-state groups to support malware development and other cybercriminal activities. The Russian-linked users employed ChatGPT to help create and refine Windows malware, including debugging and setting up command-and-control infrastructure. These accounts were used for single-use interactions focused on incremental improvements to malicious tools, demonstrating advanced operational security measures. The malware developed with OpenAI's help was distributed via a code repository disguised as legitimate software, initiating a multi-stage attack to exfiltrate sensitive data. Techniques used in the malware included privilege escalation, detection evasion through PowerShell script modifications, and payload obfuscation using Base64 encoding. Additional capabilities of the malware involved harvesting user credentials and cookies, as well as sending alerts to the attackers via a Telegram channel. Separately from the Russian hackers, the Chinese-associated accounts engaged ChatGPT for diverse purposes ranging from Linux system administration and software development to social media automation. OpenAI stressed that this misuse of ChatGPT highlights the need for vigilant monitoring and proactive measures to prevent AI-powered cybersecurity threats.
2025-06-09 02:38:19 theregister MISCELLANEOUS China Advances in Space Exploration, Tech Developments Worldwide
China’s National Space Administration successfully deployed a solar wing on the Tianwen 2 probe, which is currently three million kilometers from Earth. The Tianwen 2 mission targets the quasi-moon 469219 Kamoʻoalewa and comet 311P, marking significant progress in China's space exploration efforts. Hitachi Power Solutions, Japan, is developing an AI agent to preserve the knowledge of its experienced workers, enhancing operational efficiency. Internal documents reveal China's censorship strategy involves removing content prior to review, intensifying around sensitive anniversaries like that of the Tiananmen Square massacre. Equinix has expanded its footprint in the Asia-Pacific region by acquiring three datacenters in Manila, Philippines, boosting its capacity and potential for regional growth. Samsung's Device eXperience division has integrated Cline AI with Microsoft’s VS Code to streamline coding processes in product development. Amazon Web Services has launched a new region in Taiwan with three availability zones, enhancing service reliability amidst the region's frequent earthquakes.
2025-06-08 22:04:43 theregister NATION STATE ACTIVITY Urgent Call for AI in US Cyber Defense Amid Looming Threats
Former NSA adviser Anne Neuberger highlights severe vulnerabilities in U.S. infrastructure, stressing the urgent need for enhanced cyber resilience. Neuberger criticizes the reduction of the Cybersecurity and Infrastructure Security Agency's workforce under the Trump administration, linking it to weakened national security. Emphasizing the role of artificial intelligence, Neuberger advocates employing AI to patch security gaps in critical infrastructure and legacy systems. CISA faces significant challenges with proposed budget cuts and a potential reduction of one-third of its workforce, raising concerns about a "brain drain" and its impact on U.S. cybersecurity capabilities. The FBI and Kaspersky issue warnings about new variants of the Badbox and Mirai botnets, showing a resurgence and evolution of cyber threats. A Republican congressman demands explanations from Homeland Security regarding the closure of CISA's Mobile App Vetting program amid ongoing threats like the Salt Typhoon breaches by Chinese cyberspies. Healthcare provider Kettering Health confirms a patient data breach by the ransomware gang Interlock, exposing sensitive patient and staff information. Two cybercriminals from the doxxing gang "ViLE" receive prison sentences for stealing data from a law enforcement database and using it for extortion.
2025-06-08 14:19:51 bleepingcomputer MALWARE New Mirai Botnet Variant Targets DVR Devices via Exploit
A new variant of the Mirai malware is exploiting a command injection vulnerability in TBK DVR devices. The vulnerability, identified as CVE-2024-3721, was disclosed by a researcher in April 2024, with a proof-of-concept published. This flaw affects DVR-4104 and DVR-4216 models and their rebranded versions under multiple brands. Kaspersky detected the exploitation in its Linux honeypots, noting that the malware affects approximately 50,000 internet-exposed devices globally. Infected devices are used for DDoS attacks, proxying malicious traffic, and other harmful activities. Most detected infections are in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, according to Kaspersky's telemetry. It is currently unclear if TBK Vision has released any security patches for the vulnerability, highlighting the potential ongoing risk.
2025-06-08 13:55:37 thehackernews MALWARE Widespread Malware Campaign Targets npm and PyPI Libraries
A supply chain attack has been discovered, targeting over a dozen packages associated with GlueStack in npm and PyPI repositories, affecting nearly 1 million weekly downloads. The compromised packages allow attackers to execute shell commands, take screenshots, and upload files from infected machines, with potential actions including cryptocurrency mining and data theft. The first package compromise was detected on June 6, 2025, with similarities noted to a previous npm package compromise indicating the possible involvement of the same threat actors. Malicious actors introduced a remote access trojan (RAT) capable of harvesting system information and public IP addresses, with maintainers having revoked access and deprecated affected versions. Two additional npm packages were found acting as both information stealers and file wipers, with one package specifically targeting application directories for deletion upon activation. A new PyPI package identified as a credential harvester masquerades as an Instagram growth tool but instead exfiltrates Instagram credentials to third-party services. Users of the affected packages are urged to roll back to safe versions to mitigate threats, highlighting the importance of maintaining secure software supply chains.
2025-06-08 13:02:36 theregister MISCELLANEOUS AI Adoption Stalled by Security Concerns, Executives Claim
Enterprise adoption of AI technology remains low at around 10%, despite its potential in a multi-trillion-dollar market. Security concerns, rather than model performance, are the main obstacle to moving from pilot phases to full deployment. A recent McKinsey report highlights slow AI adoption despite growing interest and investment, citing safety in the workplace as a major challenge. Chatterbox Labs executives emphasize the necessity of continuous security testing tailored to AI models to ensure safe usage. Current cybersecurity measures are not sufficient for AI; AI introduces unique risks and requires specialized security approaches. Significant acquisitions like Cisco's purchase of Robust Intelligence and Palo Alto Networks' purchase of Protect AI indicate a trend towards integrating robust AI security. Constant testing not only ensures security but can also prove cost-effective by showing that smaller AI models are sufficiently safe. Executives warn against trusting vendor claims about safety without verification, advocating a more layered and comprehensive security strategy.
2025-06-08 08:02:32 thehackernews MALWARE Malicious Browser Extensions Target Latin American Users
Cybersecurity researchers identified a campaign that has been deploying malicious browser extensions in Latin America since early 2025. Over 722 downloads of the malicious extension have been documented across Brazil and other nations, impacting 70 companies. The campaign, named Operation Phantom Enigma, begins with phishing emails disguised as invoices, which initiate a download of the malicious extension through a multi-step process. The extension specifically targets Chromium-based browsers and aims to steal user authentication data from online banking and commerce sites. Attack techniques include disabling User Account Control (UAC), establishing persistence on the victim's system, and connecting to a command-and-control server. The malicious extensions have been removed from the Chrome Web Store, but their identifiers are listed in the report. Attackers also use Windows Installer and Inno Setup files for delivery, suggesting sophisticated and diverse distribution methods. The report notes the strategic use of compromised company servers to send phishing emails, significantly increasing the likelihood of successful user compromise.
2025-06-07 19:36:41 bleepingcomputer MALWARE Supply Chain Attack Compromises 16 NPM Packages with RAT Malware
A substantial supply chain attack targeted NPM, affecting 16 'react-native-aria' packages with over 950,000 weekly downloads. The attack injected malicious code functioning as a remote access trojan into the packages, beginning on June 6 at 4:33 PM EST. The affected packages included heavily obfuscated code appended to the source files, making detection difficult on the NPM code viewer. The code closely mirrors a remote access trojan from a previous NPM package breach discovered by Aikido Security. This trojan can connect to a command-and-control server, receiving executable commands and manipulating the Windows PATH to execute malicious binaries. Aikido Security attempted to contact Gluestack, the maintainers of the compromised packages, but received no response. The same attackers are believed to be responsible for the compromise of four other NPM packages earlier in the week. The response from NPM regarding the incident is ongoing but expected to take multiple days.
2025-06-07 14:13:45 bleepingcomputer MALWARE Malicious npm Packages Disguised as Utilities Wipe Data
Two malicious npm packages, 'express-api-sync' and 'system-health-sync-api,' were identified as data wipers disguised as utility tools. The packages, masquerading as database syncing and system health monitoring tools, were designed with backdoors enabling remote data-wiping capabilities. These data-wiper packages were uploaded to npm in May 2025 and subsequently removed following detection by security firm Socket. 'Express-api-sync' was downloaded 855 times while 'system-health-sync-api' saw 104 downloads before their removal. The 'express-api-sync' package included a hidden POST endpoint activated by a secret key, triggering file deletion commands in the application's directory. 'System-health-sync-api' featured multiple backdoor endpoints capable of executing OS-specific file deletion commands, providing feedback and system details to the attacker. Socket reported these incidents as unusual for npm, suggesting motives of sabotage or state-level disruption rather than financial gain, indicating a shift in the types of threats seen on the platform.
2025-06-06 20:04:19 theregister NATION STATE ACTIVITY Global Misuse of ChatGPT in Cyber Operations and Social Engineering
OpenAI identified and banned accounts linked to 10 separate malicious campaigns utilizing ChatGPT for nefarious activities such as social engineering, cyber snooping, and malware development. Several operations likely originated from China, involving the creation of a large volume of social media content aimed at influencing public opinion and political narratives. Some campaigns involved the generation of fake resumes and employment documents to infiltrate organizations and possibly conduct espionage. These were potentially linked to North Korean IT worker schemes. Russian entities utilized ChatGPT to influence political discourse and develop malware targeting Windows systems, notably with the ‘ScopeCreep’ project that aimed to steal sensitive data. OpenAI's banning of accounts also revealed the use of AI by Russian trolls to generate content for European elections, specifically targeting Germany. The misuse of OpenAI's tech also included the sophistication of developing tools to bypass security measures and automate tasks, highlighting an evolution in cybercriminal tactics. Despite efforts to curb misuse, the continuous adaptation and evolution of threat actors utilizing AI platforms like ChatGPT present ongoing challenges for cybersecurity and content governance.
2025-06-06 17:34:49 bleepingcomputer MISCELLANEOUS Microsoft Releases Script to Restore Misunderstood inetpub Folder
Microsoft has released a PowerShell script to help users restore the inetpub folder, which should not be deleted after the April 2025 Windows security updates. The inetpub folder was automatically created to mitigate a high-severity privilege escalation vulnerability identified as CVE-2025-21204. Confusion arose among users because the inetpub folder appeared even on systems without Internet Information Services installed, leading some to delete it. Deleting the inetpub folder leaves systems vulnerable to the patched security issue, as it plays a critical role in maintaining certain security protections. Users who deleted the folder can recreate it with its correct permissions by reinstalling Internet Information Services via the Windows control panel. Microsoft emphasizes that the inetpub folder, though empty, must not be removed, as it increases protection against potential unauthorized access and vulnerabilities. The new script ensures the folder has the appropriate access control lists and permission settings, reinforcing system security.
2025-06-06 17:15:12 bleepingcomputer RANSOMWARE Optima Tax Relief Targeted in Ransomware Data Leak Incident
U.S. tax resolution firm Optima Tax Relief was attacked by the Chaos ransomware group, resulting in a data leak. The attackers stole and leaked 69 GB of data, including customer case files and sensitive personal information. Compromised data likely includes Social Security numbers, phone numbers, and home addresses, raising concerns over potential misuse. This attack was identified as a double-extortion scheme, where data was stolen and the company’s servers were encrypted. Chaos ransomware, a new operation since March 2025, also claimed a recent breach of the Salvation Army. Optima Tax Relief claims to be the leading U.S. firm in tax resolution, having resolved over $3 billion in tax liabilities. BleepingComputer has reached out to Optima for comments and will provide updates as new information becomes available.
2025-06-06 16:31:49 thehackernews MALWARE New Malware Campaign Targets macOS Users via Social Engineering
Cybersecurity researchers have identified a new malware campaign utilizing the ClickFix social engineering tactic to infect macOS systems with the Atomic macOS Stealer (AMOS). Malicious actors are exploiting typosquat domains that resemble those of the U.S.-based telecom provider Spectrum to distribute the malware. Users are deceived into running malicious shell scripts by fake security checks claiming to be CAPTCHA verifications, which then download AMOS to gather sensitive information. The script is capable of harvesting system credentials, bypassing macOS security features, and executing additional malicious payloads. Evidence suggests that the campaign is likely operated by Russian-speaking cybercriminals, indicated by Russian language comments found in the malware's source code. Misconfigured delivery websites and inconsistent user instructions across different operating systems hint at a hastily arranged infrastructure for this campaign. ClickFix tactics are widely used in phishing scams and drive-by download attacks, exploiting human error and verification fatigue among users.
2025-06-06 16:08:32 theregister NATION STATE ACTIVITY New Pro-Russian Wiper Targets Ukrainian Critical Infrastructure
A new strain of wiper malware, termed PathWiper, is linked to pro-Russian hackers, targeting unnamed Ukrainian critical infrastructure. Researchers at Cisco Talos have attributed this cyberattack to a Russia-nexus advanced persistent threat (APT) group due to similarities with previous Russian operations. PathWiper is designed to corrupt the master boot record and NTFS file system, indicating a high level of sophistication and potential for extensive network damage. This malware strain programmatically identifies and destroys data on all connected storage devices by overwriting with random bytes. The attackers gained control of the administration system of the critical infrastructure entity, suggesting they had extensive system access. PathWiper's deployment method and tactics differ significantly from HermeticWiper, another wiper malware used at the onset of Russia's invasion in 2022. Wiper malware has seen a marked increase in usage since the outbreak of the Russia-Ukraine conflict, signifying a strategic shift in military tactics to include cyber warfare.
2025-06-06 15:30:10 bleepingcomputer CYBERCRIME Kettering Health Confirms Ransomware Attack, Data Theft
Kettering Health, a major Ohio healthcare provider, was targeted by the Interlock ransomware group, resulting in a significant breach and data theft. The cyberattack occurred in May, impacting several services including outpatient facilities, and forced Kettering Health to revert to manual documentation methods. The ransomware disabled Kettering Health’s electronic medical record systems and disrupted patient communication channels, although emergency rooms remained operational. The attackers claimed to have stolen 941 GB of sensitive data including patient information, employee records, payroll details, and police personnel files. Kettering Health has since restored access to its electronic health records and is in the process of bringing other systems back online. Enhanced security measures including network segmentation, improved monitoring, and revised access controls have been implemented to fortify the network. Interlock ransomware, involved in multiple global attacks particularly against healthcare entities, used sophisticated tools such as NodeSnake RAT in their operations.